Good Afternoon,
I am attempting to upgrade my openldap 2.4.x installation to the latest release 2.4.24. I am compiling from source. I can start slapd as the root user but I am unable to start as a non-root user (e.g. ldap). I am receiving the following error message:
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX
slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
Is the server attempting to bind to another ldap server? This is the "secondary" server on the network and I have the main LDAP server in /etc/ldap.conf. Running strace, I do see slapd referencing this file:
open("/etc/ldap.conf", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fa1000
read(8, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 919
read(8, "", 4096) = 0
close(8) = 0
munmap(0xb7fa1000, 4096) = 0
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
brk(0x82b2000) = 0x82b2000
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
write(2, "slapd: sbind.c:76: ldap_simple_b"..., 95slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
) = 95
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(9691, 9691, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
Process 9691 detached
Does anyone have any ideas here?
Regards
Iain M Conochie
--On Thursday, February 24, 2011 4:25 PM +0000 Iain M Conochie iain@shihad.org wrote:
Good Afternoon,
I am attempting to upgrade my openldap 2.4.x installation to the latest release 2.4.24. I am compiling from source. I can start slapd as the root user but I am unable to start as a non-root user (e.g. ldap). I am receiving the following error message:
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX
slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
Is the server attempting to bind to another ldap server? This is the "secondary" server on the network and I have the main LDAP server in /etc/ldap.conf. Running strace, I do see slapd referencing this file:
open("/etc/ldap.conf", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fa1000
read(8, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 919
read(8, "", 4096) = 0
close(8) = 0
munmap(0xb7fa1000, 4096) = 0
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
brk(0x82b2000) = 0x82b2000
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0
geteuid32() = 0
write(2, "slapd: sbind.c:76: ldap_simple_b"..., 95slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
) = 95
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(9691, 9691, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
Process 9691 detached
Does anyone have any ideas here?
strace is generally useless. Make sure you built with debugging symbols, and use gdb to get a backtrace.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
--On Thursday, February 24, 2011 4:25 PM +0000 Iain M Conochie iain@shihad.org wrote:
Good Afternoon,
<snip>
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX
slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
<snip>
strace is generally useless. Make sure you built with debugging symbols, and use gdb to get a backtrace.
After reading some of the other threads on this list, it seems gdb is no good for running as a non-root user anyway. I have tried 2.4.23 and slapd can now run as a non-root user, so we are going with that version.
Cheers
Iain
Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end?
If it is the default of 389, you must be root to listen.
Cheers Brett
On Fri, Feb 25, 2011 at 2:25 AM, Iain M Conochie iain@shihad.org wrote:
Good Afternoon,
I am attempting to upgrade my openldap 2.4.x installation to the latest release 2.4.24. I am compiling from source. I can start slapd as the root user but I am unable to start as a non-root user (e.g. ldap). I am receiving the following error message:
/opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX
slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end?
Nope
If it is the default of 389, you must be root to listen.
Interesting....
ps -ef |grep slapd
ldap     30749     1  0 10:23 ?        00:00:00 /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXX02.XXXXXX.org ldaps://XXXX02.XXXXXX.org
netstat -anlp|grep slapd
tcp        0      0 192.168.1.36:389        0.0.0.0:*               LISTEN      30749/slapd
tcp        0      0 192.168.1.36:636        0.0.0.0:*               LISTEN      30749/slapd
This is with version 2.4.13, which as you can see is running as user ldap and bound to 2 ports < 1024.
This is from the test box which I was using to compile 2.4.24, now running 2.4.23
/opt/openldap/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Feb 28 2011 16:00:12) $
        root@rangers:/usr/local/src/openldap-2.4.23/servers/slapd
10:26:38 rangers:$ ps -ef |grep slapd
ldap      1086     1  0 Feb28 ?        00:00:00 /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXXX.XXXXX.XXXXXX.org
netstat -anlp|grep slapd
tcp        0      0 192.168.1.124:389       0.0.0.0:*               LISTEN      1086/slapd
So slapd is able to start and bind to the port. I thought this used a mechanism like that of apache, whereby the daemon starts as root and binds to the ports, then drops the privileges to the non-root user, or am I missing something?
Cheers
Iain
On Tue, Mar 1, 2011 at 8:30 PM, Iain M Conochie iain@shihad.org wrote:
Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end?
Nope
If it is the default of 389, you must be root to listen.
Interesting....
ps -ef |grep slapd
ldap     30749     1  0 10:23 ?        00:00:00 /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXX02.XXXXXX.org ldaps://XXXX02.XXXXXX.org
netstat -anlp|grep slapd
tcp        0      0 192.168.1.36:389        0.0.0.0:*               LISTEN      30749/slapd
tcp        0      0 192.168.1.36:636        0.0.0.0:*               LISTEN      30749/slapd
This is with version 2.4.13, which as you can see is running as user ldap and bound to 2 ports < 1024.
A process that starts as root can choose to give up its root permission after binding the privileged port, and switch to a given userid/group. I presume slapd switches to user "ldap"; you don't need to be privileged to accept connections once the privileged listening socket has been bound by root.
As a security feature, once the process gives up root permissions, it cannot get them back, but it can still use the socket previously bound by root as it keeps a reference to the socket so it can listen on it for connections.
So slapd is able to start and bind to the port. I thought this used a mechanism like that of apache, whereby the daemon starts as root and binds to the ports, then drops the privileges to the non-root user, or am I missing something?
Nope. Apache needs to start as root if the listen port is <1024; it then gives up its permission for the worker threads that actually do the work. The session leader still runs as root, but it does no actual work other than managing the non-root children.
Re: apache non-root here is a link you might be interested in :
http://jsdelfino.blogspot.com/2010/03/binding-to-port-80-without-running-as....
It is a small program which takes a root-owned port and redirects the traffic to an unprivileged port. I don't see the point myself, but it might be good for people that have high security requirements (or are happily paranoid).
For me, something like iptables (forward) / rinetd (but another program) might be just as good, and this would work for both apache and slapd.
Once the FORWARD rule is configured (by root) in iptables, you could then run your server process on any non-privileged port and could run it as a non-root user and start / stop / manage it as a non-root user.
The incoming 80/389 connection would be redirected to port 50080,50389 or something like that, which would be where your non-root server process listens.
Cheers Brett
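The bind-as-root-then-drop sequence Brett describes above, as an added example (not slapd's or Apache's own code): bind_then_drop() and still_listening() are hypothetical names, the socket is bound on loopback only, and the caller chooses the target uid/gid. After the switch the listening socket remains usable while regaining root is refused.

```c
/*
 * Added example, not OpenLDAP code: bind a listening TCP socket with the
 * privileges we start with, then permanently switch to target_uid/target_gid.
 * The socket survives the switch; root does not come back.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns the listening fd, or -1 if binding or the privilege drop failed. */
int bind_then_drop(unsigned short port, uid_t target_uid, gid_t target_gid)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* loopback only, for the demo */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }

    /* Drop in this order: supplementary groups, gid, uid. setgroups()/setgid()
     * need the privilege that setuid() takes away, so uid goes last. */
    if (geteuid() == 0 && setgroups(0, NULL) < 0) goto fail;
    if (setgid(target_gid) < 0 || setuid(target_uid) < 0) goto fail;

    /* The drop must be irreversible: if root can still be regained, refuse to serve. */
    if (target_uid != 0 && setuid(0) == 0) goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* True if fd is still a listening socket, i.e. the unprivileged daemon can accept(). */
int still_listening(int fd)
{
    int acc = 0;
    socklen_t len = sizeof acc;
    return getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &acc, &len) == 0 && acc == 1;
}
```

Run as root with port 389 and the uid/gid of the ldap account, this is the same shape slapd's -u/-g switch takes: the privileged bind happens first, and everything after it runs as the unprivileged user.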
On Tue, Mar 1, 2011 at 8:30 PM, Iain M Conochie iain@shihad.org wrote:
Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end?
Nope
If it is the default of 389, you must be root to listen.
Interesting....
ps -ef |grep slapd
ldap     30749     1  0 10:23 ?        00:00:00 /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXX02.XXXXXX.org ldaps://XXXX02.XXXXXX.org
netstat -anlp|grep slapd
tcp        0      0 192.168.1.36:389        0.0.0.0:*               LISTEN      30749/slapd
tcp        0      0 192.168.1.36:636        0.0.0.0:*               LISTEN      30749/slapd
This is with version 2.4.13, which as you can see is running as user ldap and bound to 2 ports < 1024.
A process that starts as root can choose to give up its root permission after binding the privileged port, and switch to a given userid/group. I presume slapd switches to user "ldap"; you don't need to be privileged to accept connections once the privileged listening socket has been bound by root.
Yup
As a security feature, once the process gives up root permissions, it cannot get them back, but it can still use the socket previously bound by root as it keeps a reference to the socket so it can listen on it for connections.
Naturally. This is the reason I want to run slapd as user "ldap". If I do not have to run something as root, I do not :)
So slapd is able to start and bind to the port. I thought this used a mechanism like that of apache, whereby the daemon starts as root and binds to the ports, then drops the privileges to the non-root user, or am I missing something?
Nope. Apache needs to start as root if the listen port is <1024; it then gives up its permission for the worker threads that actually do the work. The session leader still runs as root, but it does no actual work other than managing the non-root children.
<snip some very useful info I will look at later>
Well - I have managed to get 2.4.23 working, starting as root and using the -g and -u options to actually run as user ldap. 2.4.24 was NOT able to do that, giving the error above. Since I have a working version now I am pretty happy.
However the error that 2.4.24 gives seems bizarre. I can do more testing on this if you want further info; perhaps slapd is unable to find the user ldap?
Thanks for your help
Cheers
Iain
--On Tuesday, March 01, 2011 1:30 PM +0000 Iain M Conochie iain@shihad.org wrote:
Well - I have managed to get 2.4.23 working, starting as root and using the -g and -u options to actually run as user ldap. 2.4.24 was NOT able to do that, giving the error above. Since I have a working version now I am pretty happy.
However the error that 2.4.24 gives seems bizarre. I can do more testing on this if you want further info; perhaps slapd is unable to find the user ldap?
Use slapd -d -1 -u ldap -g ldap
on OpenLDAP 2.4.24, and see what it reports. It should certainly work with 2.4.24 as well as 2.4.23.
--Quanah
On 01/03/2011 15:40, Quanah Gibson-Mount wrote:
--On Tuesday, March 01, 2011 1:30 PM +0000 Iain M Conochie iain@shihad.org wrote:
Well - I have managed to get 2.4.23 working, starting as root and using the -g and -u options to actually run as user ldap. 2.4.24 was NOT able to do that, giving the error above. Since I have a working version now I am pretty happy.
However the error that 2.4.24 gives seems bizarre. I can do more testing on this if you want further info; perhaps slapd is unable to find the user ldap?
Use slapd -d -1 -u ldap -g ldap
on OpenLDAP 2.4.24, and see what it reports. It should certainly work with 2.4.24 as well as 2.4.23.
OK. I think I have found the issue.
These servers use ldap for authentication. When I remove the local /etc/ldap.conf file 2.4.24 starts fine as user ldap. When I have the local /etc/ldap.conf file slapd 2.4.24 refuses to start. So it looks like slapd 2.4.24 is unable to find the ldap user when ldap authentication is in effect.
Now this user is local to the machine (i.e. has an entry in /etc/passwd etc.) and is not in the ldap directory (hence slapd can start without the ldap authentication).
As I say 2.4.23 seems fine so we are going with this.
Thanks
Iain
On Tuesday, 1 March 2011 17:47:55 Iain M Conochie wrote:
On 01/03/2011 15:40, Quanah Gibson-Mount wrote:
--On Tuesday, March 01, 2011 1:30 PM +0000 Iain M Conochie
iain@shihad.org wrote:
Well - I have managed to get 2.4.23 working, starting as root and using the -g and -u options to actually run as user ldap. 2.4.24 was NOT able to do that, giving the error above. Since I have a working version now I am pretty happy.
However the error that 2.4.24 gives seems bizarre. I can do more testing on this if you want further info; perhaps slapd is unable to find the user ldap?
Use slapd -d -1 -u ldap -g ldap
on OpenLDAP 2.4.24, and see what it reports. It should certainly work with 2.4.24 as well as 2.4.23.
OK. I think I have found the issue.
These servers use ldap for authentication. When I remove the local /etc/ldap.conf file 2.4.24 starts fine as user ldap. When I have the local /etc/ldap.conf file slapd 2.4.24 refuses to start. So it looks like slapd 2.4.24 is unable to find the ldap user when ldap authentication is in effect.
LDAP user enumeration. I doubt this is related to any actual authentication.
Now this user is local to the machine (i.e. has an entry in /etc/passwd etc.) and is not in the ldap directory (hence slapd can start without the ldap authentication).
No problems here:
[root@tiger ~]# /etc/init.d/ldap status
slapd (pid 21317) is running...
[root@tiger ~]# getent passwd bgmilne
bgmilne:x:501:501:Buchan Milne:/home/bgmilne:/bin/bash
[root@tiger ~]# /etc/init.d/ldap stop
Stopping slapd:                                            [  OK  ]
[root@tiger ~]# getent passwd bgmilne
[root@tiger ~]# slapd -VV
@(#) $OpenLDAP: slapd 2.4.24 (Feb 28 2011 12:58:04) $
        bgmilne@tiger.ranger.dnsalias.com:/home/bgmilne/rpm/BUILD/openldap-2.4.24/servers/slapd
[root@tiger ~]# /etc/init.d/ldap start
Starting slapd (ldap + ldaps):                             [  OK  ]
[root@tiger ~]#
As I say 2.4.23 seems fine so we are going with this.
You may want to have a look at the changelog first ...
BTW, your subject is misleading. I have no interest in OpenLDAP 2.2.x, so I didn't pay much attention until now ...
Regards, Buchan
<snip>
OK. I think I have found the issue.
These servers use ldap for authentication. When I remove the local /etc/ldap.conf file 2.4.24 starts fine as user ldap. When I have the local /etc/ldap.conf file slapd 2.4.24 refuses to start. So it looks like slapd 2.4.24 is unable to find the ldap user when ldap authentication is in effect.
LDAP user enumeration. I doubt this is related to any actual authentication.
True true - I tend to treat name -> uid mappings and authentication as one thing - my bad.
So thinking about this, I may have found the issue. The enumeration and authentication using the nss_ldap library was compiled against a different version of openldap, i.e. the one installed as system software with the package manager. I have removed this version, re-compiled nss_ldap and I can get this to start now.
Thanks for all the pointers
<snip>
BTW, your subject is misleading. I have no interest in OpenLDAP 2.2.x, so I didn't pay much attention until now ...
Subject line changed.
Cheers
Iain